Building Business Resilience
Kroll Global Fraud & Risk Report 2016/17
In March 2011, a powerful earthquake and subsequent tsunami in Japan caused a chain of events that resulted in the worst radioactive crisis since Chernobyl. Across the Pacific, and hidden from public view, a group of senior U.S. government leaders and their staff met nonstop. The day-to-day responsibilities of many of these leaders had nothing to do with crisis response. Among them were environmental lawyers, physicians, meteorologists, and policy specialists. Most knew each other by face and name, because only months earlier they had participated in a quarterly exercise that addressed a hypothetical nuclear emergency inside the United States. Many had also worked together during the BP Deepwater Horizon disaster, so when a crisis occurred, no time was lost building relationships.
While the benefit of planning ahead seems obvious, a quarter of all respondents to Kroll’s 2016 Global Fraud and Risk survey have not implemented or planned preparedness measures for possible threats such as natural disasters, terrorist incidents, data breaches, or workplace disruptions.
Business readers could learn from government in this space. In planning for resiliency in the event of a crisis, there are three principles to consider:
1. Think of preparedness as a process, not a state, and commit to ongoing improvement.
Strive to be more prepared tomorrow than you are today. Give careful thought to the relationships you may need in a crisis before something happens. Because the hours immediately after a crisis are the most important, it is critical to plan how such an event will influence your people and reputation. Consider moderated exercises with a cross-section of your leadership. Carefully study the fallout from a competitor’s critical incident. Those interested in building stronger enterprises should find themselves asking “what would we do if that happened to us?” There are many low- and no-cost ways of conducting drills to gauge your readiness. The next time you have a “bad weather day,” for example, analyze whether your employee notification system worked – assuming you have one, it’s the same notification system you would use for an active shooter. Building a culture of resilience within your organization starts at the top. The CEO’s commitment to corporate readiness and resilience should be visible to all employees, and one way to achieve this is to demonstrate C-suite interest in the success of things like employee alert and notification programs.
2. The most visible issue is not always the biggest risk – think hard about risk as a function of both likelihood and consequence.
Determining the likelihood of a specific event is actuarial and informed by intelligence: It is not an exercise in worrying about the most recent headlines. “Risk” is calculated as likelihood multiplied by consequences, so a deep understanding of likely consequences is critical to making risk-informed decisions. It requires substantial input from a cross-section of leadership.
For example, in addition to damaging employee morale, data breaches can also result in legal liability, regulatory problems, and severe and lasting reputational damage. In assessing the consequences of an event, all of these aspects should be included, along with the costs (consulting, legal, settlement, and public relations) of resolving it. Consideration of the transaction costs associated with crisis navigation is also critical – legal fees, public relations fees, and outside crisis management services are expensive.
Similarly, a campus sexual assault profoundly affects a school’s community, damages the life of a young person, and carries a host of reputational, liability, and morale problems for the school. Advance planning that takes into account the full impact of these problems, including legal and public relations costs, can help mitigate negative impacts.
Tabletop exercises are an excellent tool for advance planning, as are guided discussions and brainstorming sessions. Capturing knowledge gained from past experiences and observing other enterprises is critical.
3. Ensure that actual risks inform resource allocation.
During the Japan disaster, U.S. government leaders worried first about life safety issues and second about collateral consequences. They made a risk-informed and defensible decision about how to spend their time, which ultimately is their most valuable resource.
Senior government leaders had access to the necessary data to make careful and crucial decisions. They were aided by multi-agency legal response teams that had learned from the Deepwater Horizon crisis. The relationships built on the margins of exercises and disaster sped up the response. There is no reason businesses should be any less prepared for an uncertain future.
Crisis planning is crucial for every organization and sector. Thus, a stadium operator or professional sports franchise dealing with a limited budget should assess the likelihood and consequences of a terrorist attack vs. an active shooter or medical emergency. They need to resource against the highest-risk event – not necessarily the highest-profile event. Risk-informed decision-making provides leaders with a logical and defensible way of triaging resources, and should be observed ahead of time – not during a crisis.